Did you know that, on average, it only takes a hacker ten hours to exploit a vulnerability in your system, i.e. to gain access? If they are stealthy enough and have a good strategy, they will have stolen your data within 24 hours. What for? To sell it on the black market or to blackmail you.* This kind of activity is filling the pockets of hacker corporations worldwide. But security testing can turn the trend around.
In October, Cybersecurity Awareness Month, cybersecurity professionals encourage you to act responsibly online and point out the importance of raising awareness and carrying out security testing. However, one month of intensive awareness-raising a year is not enough to establish a satisfactory or desired level of cyber security in an organization. Cybercriminals are continuously developing new attack techniques and improving their skills. If you do not follow the trends, test your security, and train your users, you can quickly fall into their trap.
What drives organizations to start managing cyber security strategically?
- Compliance with laws and standards
This is particularly relevant for organizations defined as “critical infrastructure”. Changes are on the horizon in this area as the European Commission prepares a revised NIS Regulation that will broaden the range of industries covered by critical infrastructure.
- Attempts of attack or even a successful attack
The second reason why organizations choose to test and harden their cyber security is detected attack attempts or successful attacks. Although the damage in this case has already been done, such organizations are usually highly engaged and motivated to improve their security posture.
- Competitive advantage
Cyber security has also become a competitive advantage, particularly in application security and other user-related solutions. This trend is particularly evident in the development of solutions designed to protect personal or business data and assets.
The three components of cyber security: protect, test, respond
Cybersecurity management typically runs at three levels:
- Protecting assets from cyber intrusion through security solutions (e.g. next-generation firewall (NGFW), SIEM, DLP) and policies (e.g. standards and regulations);
- Testing the effectiveness of implemented solutions and policies; and
- Responding to detected intrusion attempts by an internal or external team of experts (SOC).
Security devices are becoming increasingly sophisticated and able to detect advanced attacks. A reasonable selection of these devices can significantly contribute to network protection and facilitate the detection of security incidents. This brings us to the third component: the response. It must be as fast as possible to shorten the window in which an attacker can successfully break into a system.
Testing sits between protection and response, as it is crucial for the effective functioning of the other two components. Each implemented security solution affects the interaction between the individual components of an IT system’s overall architecture differently, so its actual effect has to be verified. Just as we test an alarm device before relying on it, it makes sense to test the performance of a firewall or SIEM system. The test and the performance report tell you whether the implemented solution is working according to your expectations and needs or not.
At the response level, a security test is a driver for improving the performance of the response centre. Every day, new vulnerabilities emerge that open gaps in a system’s cybersecurity. The response centre must continuously adapt to new conditions on the cyber battlefield, and it can only verify the robustness of its defences with a test attack.
Each security test has its purpose and objective
When planning security testing, it is essential to have a clear purpose and objective for the test. Security testing is not a “hack and slash” exercise but an activity with a clear goal, usually following a predefined methodology. This ensures that the tests are transparent and repeatable.
Penetration testing of individual system components to identify security weaknesses
Penetration testing can be used to test external networks, internal networks, web and mobile applications, or specialized systems such as industrial control (SCADA) systems or solutions combining hardware and software. Penetration testing aims to improve the cyber security of the tested system or solution. Therefore, the customer must clearly define which assets they want tested and how (black-box, grey-box, or white-box).
Testing user awareness with simulations of social engineering attacks
Social engineering or phishing simulations are a test and a training programme at the same time. Such a test aims to identify how vulnerable an IT system is on the human level and where the defence line needs to be fortified. By experiencing simulated attacks, users learn to recognize the red flags of a cyber-attack and gain the skills to prevent one. It is essential to run simulations frequently (e.g. weekly or monthly) and to vary the training materials. Such testing aims to reduce the chance of a hacker entering the company via a user and to build a security-aware employee community.
Red Teaming – response to attack exercise
The Red Teaming exercise aims to test how well your IT team or Security Operations Centre (SOC) responds to an attempted attack. The internal IT team is not informed about this test, as it is a simulation of an actual attack. Such a test is usually carried out over several months. Attacks are conducted in a low-key manner, with the operators aiming to remain undetected for as long as possible. Because the purpose of the Red Teaming exercise is to improve the response to an attempted attack, it is recommended that the testers and the internal IT team discuss ways to improve the system after the exercise. Good internal communication is also crucial in such a test: management should make it clear to the IT team that the aim of the test was to improve the performance of the system, not to find somebody guilty of the intrusion.
Identify your attacker persona and select the appropriate security testing
The above was just a brief overview of the wide range of security tests that can be used to check the protection and defence of your IT system. Your needs and objectives dictate which security test you will include in your cyber security strategy.
Another critical point to consider when developing your strategy is that you can do the most for your system’s cyber security if you understand who your adversaries are and what their motives and goals are. If you have not yet analyzed your potential attacker, this can be one of your goals for the next period. Involve as many stakeholders in your organization as possible in this process. An employee in the IT department will likely highlight different motives for an attack than an employee in sales or operations. The more information you obtain, the clearer the picture you will be able to build. Knowing the potential attacker tells you which attack scenarios are most likely in your organization and helps you prepare accordingly.
Remember: just as you have limited resources to invest in cyber security, an attacker has limited resources to carry out an attack. Optimizing the security solutions you have in place can significantly increase the time an attacker needs to enter your system. In addition, you raise the attacker’s research, development, and preparation costs.
Regular security testing and optimization can help you increase the cost of an attack to the point where it is no longer worthwhile for an attacker to invest in developing or buying 0-day vulnerabilities to break into your system. If users don’t open the door by clicking on a malicious link or file, hackers may give up on your IT system’s doorstep.
Want advice on making smart cybersecurity investments in your organization?
** The offer is valid until October 31, 2022. The offer is valid for end customers, not for IT service providers.